FARM CREDIT ADMINISTRATION

INDEPENDENT ACCOUNTANT'S REPORT ON AGREED-UPON PROCEDURES:
FEDERAL INFORMATION SECURITY MANAGEMENT ACT EVALUATION

For the Year Ending September 30, 2005

HARPER, RAINS, KNIGHT & COMPANY, P.A.
CERTIFIED PUBLIC ACCOUNTANTS
RIDGELAND, MISSISSIPPI

Agreed-upon Procedures Report: FISMA Evaluation

Table of Contents

Executive Summary                                                      2
Independent Accountant's Report on Applying Agreed-Upon Procedures     3
Exhibit A – Procedures and Results                                     4
Exhibit B – OMB FISMA Reporting Template                               8
Appendix A – Agency Systems                                           12
Appendix B – Acronyms and Abbreviations                               14

Prepared by Harper, Rains, Knight & Company, P.A.,                     1
for the FCA Office of Inspector General

Executive Summary

This report includes the agreed-upon procedures and the results from applying those procedures, specified by the Farm Credit Administration's (FCA) Office of Inspector General, solely to assist with the annual evaluation of FCA's security program and practices and reporting requirements of the Federal Information Security Management Act (FISMA) submitted to the Office of Management and Budget (OMB).

FCA is an independent agency in the executive branch of the U.S. Government. It is responsible for the regulation and examination of the banks, associations, and related entities that collectively comprise what is known as the Farm Credit System (System). FCA promulgates regulations to implement the Farm Credit Act of 1971, and examines System institutions for compliance with the Act, regulations, and safe and sound banking practices.

The system evaluations were performed following guidance issued in the National Institute of Standards and Technology (NIST) self-assessment guide. The Office of Inspector General determined the critical elements that represent essential tasks for establishing compliance with FISMA and the guidelines issued by OMB, the Government Accountability Office (GAO), the Chief Information Officer (CIO) Council, and applicable NIST guidance for each control category, including:

   - documented security policies;
   - documented security procedures;
   - implemented security procedures and controls;
   - tested and reviewed security procedures and controls; and
   - fully integrated security procedures and controls.

No exceptions were noted during the performance of the agreed-upon procedures for determining FCA's compliance with FISMA.

Our procedures were performed in accordance with attestation standards established by the American Institute of Certified Public Accountants and Government Auditing Standards issued by the Comptroller General of the United States.

Independent Accountant's Report on Applying Agreed-Upon Procedures

The Inspector General
Farm Credit Administration

We have performed the procedures outlined in Exhibit A that were agreed to by the Farm Credit Administration's (FCA or Agency) Office of Inspector General, solely to assist with the annual evaluation of FCA's security program and practices and reporting requirements of the Federal Information Security Management Act (FISMA) submitted to OMB. FCA's management is responsible for documented security policies, documented security procedures, implemented security procedures and controls, tested and reviewed security procedures and controls, and fully integrated security procedures and controls for its mission critical systems listed below. This engagement to apply agreed-upon procedures was conducted in accordance with the attestation standards established by the American Institute of Certified Public Accountants and Government Auditing Standards issued by the Comptroller General of the United States. The sufficiency of these procedures is solely the responsibility of the Inspector General of FCA. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.

The agreed-upon procedures and related results of procedures are included in the attached Exhibit A. The OMB FISMA Reporting Template, a required document of these agreed-upon procedures, is included in Exhibit B.

Our procedures covered the agency systems included in the attached Appendix A.

We were not engaged to, and did not, perform an examination or a review, the objective of which would be the expression of an opinion on the FCA's security program and practices. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended solely for the information and use of the FCA Inspector General and is not intended to be and should not be used by anyone other than the specified party. This report should not be used by those who have not agreed to the procedures and taken responsibility for the sufficiency of the procedures for their purposes.

September 20, 2005

Harper, Rains, Knight & Company, P.A. • Certified Public Accountants • Consultants
One Hundred Concourse • 1052 Highland Colony Parkway, Suite 100 • Ridgeland, Mississippi 39157
Telephone 601.605.0722 • Facsimile 601.605.0733 • www.hrkcpa.com

Pages 4 through 7 removed

Exhibit B – OMB FISMA Reporting Template

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Agency Name: Farm Credit Administration

Question 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
   1) Continue to use NIST Special Publication 800-26, or
   2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Column key:
   Q1 a. FY 05 Agency Systems: Total Number / Number Reviewed
   Q1 b. FY 05 Contractor Systems: Total Number / Number Reviewed
   Q1 c. FY 05 Total Number of Systems: Total Number / Number Reviewed
   Q2 a. Number of systems certified and accredited: Total Number / Percent of Total
   Q2 b. Number of systems for which security controls have been tested and evaluated in the last year: Total Number / Percent of Total
   Q2 c. Number of systems for which contingency plans have been tested in accordance with policy and guidance: Total Number / Percent of Total
   ("-" marks a cell left blank in the template; "#DIV/0!" is the template's percentage cell where the total is zero)

Bureau Name: Farm Credit Administration

FIPS 199 Risk Level   Q1 a.     Q1 b.     Q1 c.     Q2 a.          Q2 b.          Q2 c.
High                  2 / 2     2 / 2     4 / 4     3 / 75.0%      3 / 75.0%      3 / 75.0%
Moderate              1 / 1     - / -     1 / 1     - / 0.0%       1 / 100.0%     1 / 100.0%
Low                   - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Not Categorized       - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Sub-total             3 / 3     2 / 2     5 / 5     3 / 60.0%      4 / 80.0%      4 / 80.0%

Bureau Name: Bureau (seven further template blocks, all unused)

FIPS 199 Risk Level   Q1 a.     Q1 b.     Q1 c.     Q2 a.          Q2 b.          Q2 c.
High                  - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Moderate              - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Low                   - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Not Categorized       - / -     - / -     0 / 0     - / #DIV/0!    - / #DIV/0!    - / #DIV/0!
Sub-total             0 / 0     0 / 0     0 / 0     0 / #DIV/0!    0 / #DIV/0!    0 / #DIV/0!

Agency Totals

FIPS 199 Risk Level   Q1 a.     Q1 b.     Q1 c.     Q2 a.          Q2 b.          Q2 c.
High                  2 / 2     2 / 2     4 / 4     3 / 75.0%      3 / 75.0%      3 / 75.0%
Moderate              1 / 1     0 / 0     1 / 1     0 / 0.0%       1 / 100.0%     1 / 100.0%
Low                   0 / 0     0 / 0     0 / 0     0 / #DIV/0!    0 / #DIV/0!    0 / #DIV/0!
Not Categorized       0 / 0     0 / 0     0 / 0     0 / #DIV/0!    0 / #DIV/0!    0 / #DIV/0!
Total                 3 / 3     2 / 2     5 / 5     3 / 60.0%      4 / 80.0%      4 / 80.0%

Question 3

In the format below, evaluate the agency's oversight of contractor systems, and agency system inventory.

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.

     Response: Almost Always, for example, approximately 96-100% of the time

     Response Categories:
     - Rarely, for example, approximately 0-50% of the time
     - Sometimes, for example, approximately 51-70% of the time
     - Frequently, for example, approximately 71-80% of the time
     - Mostly, for example, approximately 81-95% of the time
     - Almost Always, for example, approximately 96-100% of the time

3.b. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response: Approximately 96-100% complete

     Response Categories:
     - Approximately 0-50% complete
     - Approximately 51-70% complete
     - Approximately 71-80% complete
     - Approximately 81-95% complete
     - Approximately 96-100% complete

3.c. The OIG generally agrees with the CIO on the number of agency owned systems.                                                                          Yes

3.d. The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.   Yes

3.e. The agency inventory is maintained and updated at least annually.                                                                                      Yes

3.f. The agency has completed system e-authentication risk assessments.                                                                                     Yes

Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.

For items 4.a.–4.f., the response categories are as follows:

   - Rarely, for example, approximately 0-50% of the time
   - Sometimes, for example, approximately 51-70% of the time
   - Frequently, for example, approximately 71-80% of the time
   - Mostly, for example, approximately 81-95% of the time
   - Almost Always, for example, approximately 96-100% of the time

4.a. The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     Response: Almost Always, for example, approximately 96-100% of the time

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     Response: Almost Always, for example, approximately 96-100% of the time

4.c. Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
     Response: Almost Always, for example, approximately 96-100% of the time

4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Almost Always, for example, approximately 96-100% of the time

4.e. OIG findings are incorporated into the POA&M process.
     Response: Almost Always, for example, approximately 96-100% of the time

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     Response: Almost Always, for example, approximately 96-100% of the time

Comments:

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guida
                                          nce,andst\n                                                                                                                                                                                       a ndards.\nAge nc ie\n        sshal\n            lfol\n               lowNI STSpecialPubl\n                                 ica\n                                   tion800-37,\xe2\x80\x9cGuidefort\n                                                       heSecuri\n                                                              tyCert\n                                                                   ifi\n                                                                     cati\n                                                                        onandAc cr\n                                                                                 edi\n                                                                                   tat\n                                                                                     ionofFeder\n                                                                                              alInformat\n                                                                                                       ionSyst\n                                                                                                             e ms\xe2\x80\x9d(Ma y,2004)f\n                                                                                                                             orce\n                                                                                                                                rti\n                                                                                                                                  fica\n                                                                                                                                     tionandaccr\n                          
                                                                                                                     editat\n                                                                                                                                                    ionworkinit\n                                                                                                                                                              iat\n                                                                                                                                                                eda f\n                                                                                                                                                                    terMay,2004.Thisinc\n                                                                                                                                                                                      lude suseofthe\nFIPS199(  Februa\n               ry,2004)\n                      ,\xe2\x80\x9cSta\n                          nda r\n                              dsforSecuri\n                                        tyCa t\n                                             egori\n                                                 zati\n                                                    onofFede\n                                                           ralInfor\n                                                                  ma t\n                                                                     ionandInfor\n                                                                               mati\n                                                                                  onSyste\n                                                                                        ms ,\n                                                                                           \xe2\x80\x9dtodeter\n                    
                                                                              mi neanimpactlevel\n                                                                                                                   ,aswe l\n                                                                                                                         lasass\n                                                                                                                              oci\n                                                                                                                                atedNISTdoc umentsusedasguidanc\n                                                                                                                                                              ef orcomple\n                                                                                                                                                                        tingri\n                                                                                                                                                                             skass\n                                                                                                                                                                                 essmentsa ndsecur\n                                                                                                                                                                                                 ity\nplans .\n\n\n                                       Assess the overall quality of the Department\'s certification and accreditation process.\n                                       Response Categories:\n                                             - Excellent\n                                             - Good\n                                                                                                                          
                                                  - Good\n                                             - Satisfactory\n                                             - Poor\n                                             - Failing\n\nComments: In FY 2005, FCA contracted with Pinnacle CSI to perform an assessment of FCA\'s certification and accreditation policies and procedures to provide management with a level of confidence that their systems and applications operate\neffectively and that the proper policies and procedures to mitigate risks to an acceptable level are in place. In addition, Pinnacle CSI performed a Certification and Accreditation (C&A) on FCA\'s Windows 2003 System in accordance with NIST\nSpecial Publication 800-37. FCA reviews third party documents (e.g. SAS 70 reports) for evidence of C&A\'s on their contractor systems. During our evaluation FCA indicated they plan to conduct formal C&A\'s on two more of their systems in FY\n2006. In FY 2005 FCA\'s C&A policies, procedures, and guidelines were updated to adhere to NIST Special Publication 800-37.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.,                                                                                                                                                                                    9\nfor the FCA Office of Inspector General\n\x0c                                          Agreed-upon Procedures Report: FISMA Evaluation\n\n                                                                      Section B: Inspector General. Question 6, 7, 8, and 9.\n\n                                                                            Agency Name: Farm Credit Administration\n\n                                                                                            Question 6\n                        Is there an agency wide security configuration policy?\n        6.a.                                                                                                  
      Response: Yes (Yes or No.)
      Comments:

6.b.  Configuration guides are available for the products listed below. Identify which software is
      addressed in the agency wide security configuration policy. Indicate whether or not any agency
      systems run the software. In addition, approximate the extent of implementation of the
      security configuration policy on the systems running the software.

      Extent of implementation response choices include:
      - Rarely, or, on approximately 0-50% of the systems running this software
      - Sometimes, or on approximately 51-70% of the systems running this software
      - Frequently, or on approximately 71-80% of the systems running this software
      - Mostly, or on approximately 81-95% of the systems running this software
      - Almost Always, or on approximately 96-100% of the systems running this software

      Product                   Addressed in         Do any agency     Approximate extent of implementation of the
                                agencywide policy?   systems run       security configuration policy on the systems
                                (Yes, No, or N/A)    this software?    running the software
                                                     (Yes or No)
      Windows XP Professional   Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Windows NT                Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Windows 2000 Professional Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Windows 2000 Server       Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Windows 2003 Server       Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Solaris                   N/A
      HP-UX                     N/A
      Linux                     N/A
      Cisco Router IOS          Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Oracle                    Yes                  Yes               Almost Always, or on approximately 96-100% of the
                                                                       systems running this software
      Other. Specify:           N/A

Comments:

                                        Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If
appropriate or necessary, include comments in the area provided below.

7.a.  The agency follows documented policies and procedures for identifying and reporting incidents
      internally.
      Response: Yes (Yes or No.)

7.b.  The agency follows documented policies and procedures for external reporting to law enforcement
      authorities.
      Response: Yes (Yes or No.)

7.c.  The agency follows defined procedures for reporting to the United States Computer Emergency
      Readiness Team (US-CERT). http://www.us-cert.gov
      Response: Yes (Yes or No.)

Comments:

                                        Question 8

8.    Has the agency ensured security training and awareness of all employees, including contractors
      and those employees with significant IT security responsibilities?

      Response Choices include:
      - Rarely, or, approximately 0-50% of employees have sufficient training
      - Sometimes, or approximately 51-70% of employees have sufficient training
      - Frequently, or approximately 71-80% of employees have sufficient training
      - Mostly, or approximately 81-95% of employees have sufficient training
      - Almost Always, or approximately 96-100% of employees have sufficient training

      Response: Almost Always, or approximately 96-100% of employees have sufficient training

                                        Question 9

9.    Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness
      training, ethics training, or any other agency wide training?
      Response: Yes (Yes or No.)

Appendix A – Agency Systems

Our procedures were applied to the following agency systems.

1) Major Applications

   a. Federal Financial System (FFS)

      • FFS is the major application that supports all FCA core accounting functions including
        budget execution, accounts payable, disbursements, purchasing, travel, accounts receivable,
        general ledger, document tracking, project cost accounting, and external reporting. FFS is a
        mainframe computer financial management system. FFS is processed by the United States
        Geological Survey (USGS)/National Business Center (NBC), and American Management Systems,
        Inc. (AMS). The FFS software is owned and maintained by AMS. AMS is responsible for
        providing development activities including regular upgrades, fixes, and requested
        enhancements to maintain the core FFS software. NBC personnel are responsible for defining
        and developing processes to retrieve or receive data from external sources to develop
        corresponding programs that enable FFS to load the data accordingly. FCA’s FFS security
        administrator, located in the Chief Financial Office is responsible for managing security
        access control to the FFS agency application. FFS was placed in production in June 2001.

   b. Payroll Services from National Finance Center (NFC)

      • USDA's NFC located in New Orleans, Louisiana provides the Personnel/Payroll System (PPS) to
        FCA. NFC provides distributed application and telecommunications support for the remote
        site located in McLean, Virginia. NFC developed a "master security plan" for the general
        support system in New Orleans. FCA's Chief Administrative Office maintains a security plan
        for the remote system at FCA that incorporates provisions of the master security plan.

   c. Consolidated Reporting System (CRS)

      CRS is a major application that supports FCA operations. CRS is an Oracle relational database
      containing financial and statistical information on active and inactive System institutions.
      CRS contains three distinct subsystems that are Call Report, Loan Account Reporting System
      (LARS), and Web-based CRS Reports:

      • Call Report is comprised of financial information including a statement of condition,
        statement of income, and supporting schedules that is collected quarterly from the System
        institutions. Call Report subsystem is monitored, analyzed, and assessed by FCA examiners and
        financial analysts to ensure that the integrity and confidentiality of financial data are
        maintained.

      • LARS database contains specific loans of System lender institutions. Such institutions
        submit the data quarterly to FCA via diskette or zip file. The loan data are loaded using
        SQLLoader, and are then verified and validated by FCA personnel.

      • Web-based CRS Reports is an FCA developed application using the JavaScript front-end
        interface and an Oracle database back-end application. The reports are built using
        e-Reporting Suite, and are available on FCA's Web site. The Freedom of Information Act (FOIA)
        versions of the reports are available to the public. The non-FOIA versions of the reports
        are available to users who are authorized to view their institution data.

   d. Lotus Domino (Notes)

      • The Notes application is a database system software owned and maintained by FCA. The
        application supports the daily administrative tasks including e-mail, group discussion,
        calendaring and scheduling, database management, forms, and workflow of FCA.

2) General Support Systems

   a. Windows 2003 Network

      • Windows 2003 is an operating system or the core program of a computer that allows the other
        programs and applications to operate. Windows 2003 is fully integrated with networking
        capabilities and was designed for client/server computing to facilitate user workstation
        connections to servers and the sharing of information and services among computers.

      • Windows 2003 Server is the primary operating system installed on substantially all servers
        in the FCA network. Additionally, Windows 2000 and XP are installed on agency laptop and
        desktop computers where they function as a client to the FCA network as well as a
        stand-alone operating system for the client hardware. Through Windows 2000/XP, users can
        access network services such as file servers, e-mail, the Internet, applications and shared
        hardware such as printers.

Appendix B – Acronyms and Abbreviations

AMS          American Management Systems, Inc.
C&A          Certification and Accreditation
CIO          Chief Information Officer
COGCON       Continuity of Government Condition System
CRS          Consolidated Reporting System
FCA          Farm Credit Administration
FFS          Federal Financial System
FISCAM       Federal Information System Controls Audit Manual
FISMA        Federal Information Security Management Act
FOIA         Freedom of Information Act
FY           Fiscal Year
GAO          Government Accountability Office
IT           Information Technology
LARS         Loan Account Reporting System
NBC          National Business Center
NFC          National Finance Center
NIST         National Institute of Standards and Technology
OCAO         Office of the Chief Administrative Officer
OCFO         Office of the Chief Financial Officer
OIG          Office of the Inspector General
OMB          Office of Management and Budget
POA&M        Plan of Action and Milestone
PPS          Personnel/Payroll System
System       Farm Credit System
US-CERT      United States Computer Emergency Readiness Team
USGS         United States Geological Survey